input {
  {{ item.protocol }} {
    port => {{ item.port }}
    tags => ["cisco-asa"]
  }
}

filter {
  if "cisco-asa" in[tags]{
    fingerprint {
      target => "[@metadata][uuid]"
      method => "UUID"
    }
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => [
        "message", "%{ESGCISCOFWUNKNOWN}"
      ]
    }
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => [
        "log_msg", "%{ESGCISCOFW106001}",
        "log_msg", "%{ESGCISCOFW106006_106007_106010}",
        "log_msg", "%{ESGCISCOFW106014}",
        "log_msg", "%{ESGCISCOFW106015}",
        "log_msg", "%{ESGCISCOFW106021}",
        "log_msg", "%{ESGCISCOFW106023}",
        "log_msg", "%{ESGCISCOFW106100}",
        "log_msg", "%{ESGCISCOFW110002}",
        "log_msg", "%{ESGCISCOFW302010}",
        "log_msg", "%{ESGCISCOFW302013_302014_302015_302016}",
        "log_msg", "%{ESGCISCOFW302020_302021}",
        "log_msg", "%{ESGCISCOFW305011}",
        "log_msg", "%{ESGCISCOFW313001_313004_313008}",
        "log_msg", "%{ESGCISCOFW402117}",
        "log_msg", "%{ESGCISCOFW402119}",
        "log_msg", "%{ESGCISCOFW419001}",
        "log_msg", "%{ESGCISCOFW419002}",
        "log_msg", "%{ESGCISCOFW500004}",
        "log_msg", "%{ESGCISCOFW602303_602304}",
        "log_msg", "%{ESGCISCOFW710001_710002_710003_710005_710006}",
        "log_msg", "%{ESGCISCOFW713172}",
        "log_msg", "%{ESGCISCOFW722051}",
        "log_msg", "%{ESGCISCOFW722037}",
        "log_msg", "%{ESGCISCOFW113019}",
        "log_msg", "%{ESGCISCOFW7500_03_12}",
        "log_msg", "%{ESGCISCOFW733100}"
      ]

    }
    syslog_pri {}
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
    }
    mutate {
      remove_field => ["message", "log_msg"]
      gsub => ["event-code", "4-106023", "Reject"]
      gsub => ["event-code", "4-419002", "Duplicate TCP SYN"]
      gsub => ["event-code", "3-710003", "Reject"]
      gsub => ["event-code", "2-106001", "Reject"]
      gsub => ["event-code", "4-313005", "ICMP Reject"]
      gsub => ["event-code", "3-313001", "ICMP Reject"]
      gsub => ["event-code", "3-210007", "LU allocate xlate failed"]
      gsub => ["event-code", "2-106017", "Land Atack"]
      gsub => ["event-code", "4-722051", "Remconn address assigned"]
      gsub => ["event-code", "4-113019", "Remconn session disconnected"]
      gsub => ["event-code", "4-722037", "Remconn closing connection"]
      gsub => ["event-code", "4-722041", "Remconn IPv6 not available"]
      gsub => ["event-code", "3-713194", "IKE delete"]
      gsub => ["event-code", "4-405001", "ARP collision"]
      gsub => ["event-code", "4-750003", "IKEv2 Error"]
      gsub => ["event-code", "4-750012", "IKEv2 Error"]
    }
  }
}

output {
  if "cisco-asa" in[tags]{
    elasticsearch {
      hosts => ['{{ logstash_elastic_hosts | list | join(":" + logstash_elastic_port + "', '") }}:{{ logstash_elastic_port }}']
      ssl_certificate_verification => false
      ssl => {% if logstash_elastic_stack_auth | bool and logstash_elastic_stack_https | bool %}true{% else %}false{% endif %}

      user => "{{ logstash_elastic_stack_user }}"
      password => "{{ logstash_elastic_stack_pass }}"
      index => "cisco-asa-%{+YYYY.MM.dd}"
{% if logstash_version.split('.')[0] != '5' %}
      ilm_enabled => true
{% endif %}
      template => "/etc/logstash/template/elastic-cisco-asa-template.json"
      template_name => "cisco-asa"
      template_overwrite => true
      document_type => "_doc"
      document_id => "%{[@metadata][uuid]}"
    }
  }
}
